Chrome Security

Audit risky Chrome extensions, stop AI-chat exfiltration, and decode HTTPS-First warnings. A 60-second DevTools check catches the data theft that a permissions review misses.

5 articles

Two Chrome extensions with a combined 900,000 installs were pulled from the Web Store in early 2026 after researchers found them quietly shipping users' ChatGPT and DeepSeek conversations to outside servers every 30 minutes. Both worked exactly as advertised. Both had good reviews. The data theft ran underneath the functionality, invisible to the people using them.

That case — Secure Annex named the pattern "Prompt Poaching" — shows where Chrome's real security risk sits in 2026. It is rarely the obvious sketchy download. It is the popular, useful extension that requests broad host permissions, then changes hands silently. Permissions you grant at install carry through every later update, including updates that follow an ownership transfer you never heard about. An extension with access to all URLs can read the full DOM of every page you open.

Chrome itself keeps shifting its security defaults too. Chrome 147 turns on HTTPS-First mode for Enhanced Safe Browsing users, warning before any HTTP page loads. Enhanced Safe Browsing trades privacy for protection by sending visited URLs to Google in real time. Knowing which defaults are on — and which extensions can see what — is the practical core of browser security now.

The audit is fast. Open an extension's service worker in DevTools, watch the network tab while you use the app it claims to enhance, and flag any request to a server you do not recognize. An extension that makes zero outbound requests cannot leak your data, whatever permissions it holds.

Frequently Asked Questions

Can Chrome extensions read my passwords or private data?

An extension with broad host permissions (access to all URLs) can read the full DOM of any page you open, which includes form contents and on-screen text. As of June 2026, two extensions with 900,000 combined installs were caught exfiltrating AI chat transcripts this way. Dedicated password managers use isolated storage, but a malicious broad-permission extension is a real risk.

How do I check if a Chrome extension is safe?

Open chrome://extensions, enable Developer Mode, and click the extension's "service worker" link to open DevTools. In the Network tab, use the site the extension claims to help with and watch for outbound requests. As of June 2026, requests to unfamiliar analytics or third-party servers are a red flag; an extension making zero network requests cannot exfiltrate data.
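The DevTools Network check above is dynamic: it only shows traffic the extension happens to send while you watch. The static half of the audit is reading the extension's manifest.json for the broad host access that makes DOM reading possible in the first place. The script below is an added example, not code from this site or from any extension it discusses; the two manifests in it are constructed samples, and the only assumption is the standard Chrome manifest layout (`host_permissions`, `permissions`, `optional_host_permissions`, `content_scripts[].matches`). It flags any match pattern that covers every host, which is the precondition for reading the full DOM of any page.

```python
"""Static audit of a Chrome extension manifest for broad host access.

Added example (not from the page): flags host permissions and
content-script match patterns that grant access to every site, the
precondition for the DOM-reading risk described in the FAQ above.
"""
import json
from typing import Dict, List

# Match patterns that cover every http(s) origin. "<all_urls>" is the
# explicit catch-all; the wildcard-host forms cover the same ground.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (hypothetical extensions, not real ones).
BROAD_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample AI Helper (constructed)",
    "permissions": ["storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["https://chat.example/*"], "js": ["cs.js"]}
    ],
}
NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Site Tweak (constructed)",
    "permissions": ["activeTab"],
    "host_permissions": ["https://app.example/*"],
    "content_scripts": [
        {"matches": ["https://app.example/*"], "js": ["cs.js"]}
    ],
}


def host_patterns(manifest: Dict) -> List[str]:
    """Collect every host-access pattern the manifest requests.

    MV3 lists host access under host_permissions (and the optional
    variant); MV2 mixed match patterns into the plain permissions list,
    so all three keys are scanned. Content-script matches count too,
    because a script injected into a page can read that page's DOM.
    """
    patterns: List[str] = []
    for key in ("host_permissions", "optional_host_permissions", "permissions"):
        for entry in manifest.get(key, []):
            # API permission names like "storage" have no scheme; skip them.
            if "://" in entry or entry == "<all_urls>":
                patterns.append(entry)
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    return patterns


def is_broad(pattern: str) -> bool:
    """True if the pattern grants access to every host on its scheme."""
    if pattern in BROAD_PATTERNS:
        return True
    # "scheme://*/anything" still matches every host; "*.example.com" does not.
    _scheme, _sep, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    return host == "*"


def audit(manifest: Dict) -> Dict:
    """Summarise host access: which patterns are broad, and whether any is."""
    broad = sorted({p for p in host_patterns(manifest) if is_broad(p)})
    return {
        "name": manifest.get("name", "<unnamed>"),
        "requested": host_patterns(manifest),
        "broad_host_access": broad,
        "all_hosts": bool(broad),
    }


def audit_manifest_text(text: str) -> Dict:
    """Convenience wrapper for a manifest.json read from disk."""
    return audit(json.loads(text))


if __name__ == "__main__":
    for m in (BROAD_MANIFEST, NARROW_MANIFEST):
        report = audit(m)
        flag = "BROAD HOST ACCESS" if report["all_hosts"] else "scoped"
        print(f"{report['name']}: {flag} {report['broad_host_access']}")
```

Run it against a real extension's manifest.json (under the Chrome profile's Extensions directory) with `audit_manifest_text(open(path).read())`. A broad result is not proof of misuse; it is the cue to do the dynamic check, and to do it in both places. The service worker's Network panel shows only requests the worker itself makes; a content script runs inside the page, so its requests appear in that tab's own DevTools, not in the worker's. Watch both before concluding an extension sends nothing.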

What is Prompt Poaching and am I at risk?

Prompt Poaching, named by Secure Annex in early 2026, is the silent exfiltration of AI chat content (ChatGPT, DeepSeek, Claude) by extensions with permission to read those pages. As of June 2026, you are at risk if you have installed broad-permission productivity or "AI helper" extensions. Audit them in DevTools and remove any that contact servers unrelated to their stated function.

What changed with HTTPS warnings in Chrome 147?

Chrome 147 enables HTTPS-First mode by default for users with Enhanced Safe Browsing on, showing a full warning page before loading any HTTP-only site. As of June 2026, around 95% of public sites already use HTTPS and never trigger it — the warning mostly appears on old internal tools and router admin panels. You can bypass it once or disable HTTPS-First in chrome://settings.

Does zero telemetry actually make an extension safer?

Yes, and it is verifiable. Zero telemetry means the extension makes no outbound network requests — no analytics, no usage data, no sync to external servers — so all processing stays inside the browser. As of June 2026, you can confirm it by opening the service worker in DevTools and watching the Network tab: no requests means no channel to leak data, regardless of permissions held.

Free Chrome extension

SuperchargePerformance

Tab suspension, ad blocking, and script control. Free.